diff --git a/cfi_backward.adoc b/cfi_backward.adoc index 5ed4c5c..77de4d8 100644 --- a/cfi_backward.adoc +++ b/cfi_backward.adoc @@ -786,16 +786,16 @@ page. When `menvcfg.SSE=0`, this encoding remains reserved. When `V=1` and The following faults may occur: -. If the accessed page is a shadow stack page: +. If the accessed page is a shadow stack page (`pte.xwr=010b`): .. Stores other than `SSAMOSWAP`, `SSPUSH`, and `C.SSPUSH` cause store/AMO access-fault exception. .. Implicit accesses cause an access-fault exception corresponding to the original access type. -. If the accessed page has write or execute permission or if the page is in - non-idempotent memory: +. If the accessed page is read-write (`pte.xwr=?11b`) or execute-only + (`pte.xwr=100b`) page or if the page is in non-idempotent memory: .. `SSAMOSWAP`, `C.SSPUSH`, and `SSPUSH` cause a store/AMO access-fault. .. `C.SSPOPCHK` and `SSPOPCHK` cause a load access-fault. -. If the accessed page has read-only permissions: +. If the accessed page has read-only (`pte.xwr=001b`) permissions: .. `SSAMOSWAP`, `C.SSPUSH`, and `SSPUSH` cause a store/AMO page-fault. .. `C.SSPOPCHK` and `SSPOPCHK` cause a load page-fault. @@ -821,9 +821,9 @@ On implementations where address-misaligned exception is prioritized higher than access-fault exception, a trap handler that emulates misaligned stores must cause an access-fault exception if store is being made to a shadow stack page. -Shadow stack instructions cause an access-fault if the accessed page is writeable -or executable or if the page is in non-idempotent memory to similarly indicate -fatality. +Shadow stack instructions cause an access-fault if the accessed page is +read-writeable or is executable or if the page is in non-idempotent memory to +similarly indicate fatality. Shadow stack instructions cause a page-fault if the accessed page is read-only to support copy-on-write (COW) of a shadow stack page. If the page had been 
@@ -856,14 +856,14 @@ cite:[PRIV] is modified as follows: PAGESIZE` and go to step 2. 5. A leaf PTE has been found. If the memory access is by a shadow stack - instruction and `pte.x == 1b` or `pte.w == 1b`, then cause an access-fault - exception corresponding to the access type. If the memory access is either a - non-shadow-stack store/AMO or an implicit access, and `pte.xwr == 010b`, then - cause an access-fault exception corresponding to the original access type. - If the requested memory access is not allowed by the `pte.r`, `pte.w`, - `pte.x`, and `pte.u` bits, given the current privilege mode and the value of - the `SUM` and `MXR` fields of the `mstatus` register, stop and raise a - page-fault exception corresponding to the original access type. + instruction and `pte.xwr != 010b` or `pte.xwr != 001b`, then cause an + access-fault exception corresponding to the access type. If the memory access + is either a non-shadow-stack store/AMO or an implicit access, and + `pte.xwr == 010b`, then cause an access-fault exception corresponding to the + original access type. If the requested memory access is not allowed by the + `pte.r`, `pte.w`, `pte.x`, and `pte.u` bits, given the current privilege mode + and the value of the `SUM` and `MXR` fields of the `mstatus` register, stop + and raise a page-fault exception corresponding to the original access type. The PMA checks are extended to require memory referenced by `SSAMOSWAP`, `SSPUSH`, `C.SSPUSH`, `C.SSPOPCHK`, and `SSPOPCHK` to be idempotent.
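Review bot: in the first hunk (the rewrite of the `If the accessed page has write or execute permission` item), the new enumeration drops read-execute pages (`pte.xwr=101b`): the old wording "write or execute permission" covered them, but the new text lists only read-write (`pte.xwr=?11b`) and execute-only (`pte.xwr=100b`), so an RX leaf now matches none of the three listed cases even though it still needs the access-fault treatment. Suggest widening the second case to "executable (`pte.xwr=1??b`)" or adding `101b` explicitly, so the fault list stays consistent with the step-5 rule in the second hunk, which is meant to raise an access-fault for any leaf encoding other than `010b` and `001b`. Minor grammar in the same item: "is read-write (...) or execute-only (...) page" reads better as "is a read-write (...) or execute-only (...) page".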
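Review bot: the new step-5 condition `pte.xwr != 010b or pte.xwr != 001b` is always true, since any three-bit value differs from at least one of the two constants, so every shadow stack instruction reaching a leaf PTE, including a valid shadow stack page, would take an access-fault, and the read-only page-fault path used for copy-on-write (described in the first hunk) would never be reached. The intended test is a conjunction; suggest "instruction and `pte.xwr` is neither `010b` nor `001b`" (equivalently `pte.xwr != 010b and pte.xwr != 001b`), which also makes the wording line up with the `pte.xwr=010b` / `pte.xwr=001b` annotations added in the first hunk.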